Setup IIS to require client certificate and to use anonymous authentication

I have a WCF web service for our customers to use. I want to protect this using client certificates. I will also use the client certificate to identify the customer.

I've made the identification part work, but I cannot make the IIS require client certificates.

If I set the IIS to accept client certificates, the communication works and I can get the client identity using:

ServiceSecurityContext.Current.PrimaryIdentity.Name

But I can also access the site without a client certificate. I'm not sure if those without can do anything else than read the WSDL, but I don't want anyone without a trusted certificate to be able to get any information at all.

If I set the IIS to require client certificate, my test client who should have access gets the error:

The HTTP request was forbidden with client authentication scheme 'Anonymous'.

I want to allow access only to those who have a client certificate trusted by the server. Anyone else shall be rejected.

1 Answer

OK, we have done the same as you. We worked the other way around. We first secured IIS with the client & server certificate. We did this on IIS Express (still in development while I'm posting this). We allowed in the IIS Express applicationhost.config to override specific parts of the web.config, i.e.: <section name="windowsAuthentication" overrideModeDefault="Allow" />

Change the thumbprint to the thumbprint of the certificate with subject name iisurl.
I recommend you fully automate this with PowerShell; we have this too, so we can develop on multiple machines. But I can't paste all of it here.

I hope this helps you. With this config, if you browse over https to the url iisurl/OrderService, it asks you for a client certificate (in IE).
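The following web.config is an added example, not the asker's configuration or the answerer's omitted snippet. It shows the two settings that have to agree for the question's scenario: the IIS `access` section set to require a client certificate (so unauthenticated callers cannot even fetch the WSDL), and the WCF transport binding set to `clientCredentialType="Certificate"` so the client actually presents one. The error quoted in the question ("forbidden with client authentication scheme 'Anonymous'") is what the WCF client reports when IIS demands a certificate but the binding still sends the request anonymously; a common cause is a binding that was left at `clientCredentialType="None"` on one side. The service, contract and binding names below are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the question or the answer). Assumes:
     - the IIS site already has an HTTPS binding with a server certificate;
     - the system.webServer/security/access section is unlocked for web.config
       overrides, i.e. applicationHost.config contains
       <section name="access" overrideModeDefault="Allow" />
       (IIS Express ships this section as Deny). -->
<configuration>
  <system.webServer>
    <security>
      <!-- Require TLS AND require a client certificate on every request.
           "Ssl, SslNegotiateCert" alone only asks for a certificate; anonymous
           callers still get through and can read the WSDL. SslRequireCert makes
           IIS answer 403.7 to any caller without a certificate the server trusts. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>

  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Binding name is a placeholder. Transport security with a
             Certificate client credential: WCF presents the client certificate
             in the TLS handshake, which is what IIS's SslRequireCert expects. -->
        <binding name="ClientCertBinding">
          <security mode="Transport">
            <transport clientCredentialType="Certificate" />
          </security>
        </binding>
      </basicHttpBinding>
    </bindings>

    <services>
      <!-- Service and contract names are placeholders. -->
      <service name="Example.OrderService" behaviorConfiguration="ClientCertBehavior">
        <endpoint address=""
                  binding="basicHttpBinding"
                  bindingConfiguration="ClientCertBinding"
                  contract="Example.IOrderService" />
      </service>
    </services>

    <behaviors>
      <serviceBehaviors>
        <behavior name="ClientCertBehavior">
          <!-- Publish metadata over HTTPS only; with SslRequireCert above, even
               the WSDL is reachable only with a trusted client certificate. -->
          <serviceMetadata httpsGetEnabled="true" httpGetEnabled="false" />
          <serviceCredentials>
            <clientCertificate>
              <!-- ChainTrust: accept only certificates that chain to a CA the
                   server trusts; Online revocation checking rejects revoked ones.
                   PeerTrust would instead require each client cert to be placed
                   in the server's Trusted People store. -->
              <authentication certificateValidationMode="ChainTrust"
                              revocationMode="Online" />
            </clientCertificate>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
```

The client's configuration must mirror the binding: the same `<security mode="Transport"><transport clientCredentialType="Certificate" /></security>` on its binding, plus an endpoint behavior that selects the certificate to send, for example `<clientCredentials><clientCertificate findValue="THUMBPRINT-PLACEHOLDER" storeLocation="CurrentUser" storeName="My" x509FindType="FindByThumbprint" /></clientCredentials>`. With both sides aligned, `ServiceSecurityContext.Current.PrimaryIdentity.Name` on the server still yields the certificate subject the question uses for customer identification, while callers without a trusted certificate are rejected by IIS before any WCF code runs.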